--- /dev/null
+Description
+===========
+Test corresponding to fix for the behavior of `base64_decode` keyword in case an
+invalid character is encountered.
+For handling of such cases, [RFC 4648](https://www.rfc-editor.org/rfc/rfc4648#section-3.3) has been taken into account.
+
+PCAP
+====
+PCAP comes from the redmine ticket [5223](https://redmine.openinfosecfoundation.org/issues/5223)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5223
+
+Reported by
+===========
+Brandon Murphy
--- /dev/null
+alert http any any -> any any (msg:"base64 decode - no url_decode"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; startswith; sid:1; rev:1;)
+alert http any any -> any any (msg:"base64 decode - url_decode"; flow:established,to_server; http.cookie; url_decode; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; sid:2; rev:1;)
+alert http any any -> any any (msg:"base64 decode - no url_decode, proves no base64_data buffer via pcre"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; pcre:"/./"; sid:3; rev:1;)
+alert http any any -> any any (msg:"base64 decode - no url_decode grab only the first two bytes"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:bytes 2,relative; base64_data; content:"|9e|"; startswith; sid:4; rev:1;)
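Review bot: sid 2 drops the `startswith` that sid 1 and sid 4 carry, so the url_decode variant only proves that `|9e|` occurs somewhere in the decoded data rather than at its first byte; if the decoded output is meant to be the same with and without url_decode, add `startswith;` before `sid:2;`, otherwise the README should state why the offset is expected to differ. The msg of sid 3, "proves no base64_data buffer via pcre", reads as if the rule were expected not to fire, yet the yaml expects one alert for it and `pcre:"/./"` matches as soon as the decoded buffer holds a single byte, so a firing rule shows the buffer is present; a wording such as "proves base64_data buffer is populated via pcre" would match what the check asserts. None of the four rules set `classtype`, which is presumably why every expected `alert.category` is `''`; harmless for a verify test, but a one-line mention in the README would save the next reader from treating it as a defect.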
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - no url_decode
+ alert.signature_id: 1
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - url_decode
+ alert.signature_id: 2
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ #src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - no url_decode, proves no base64_data buffer
+ via pcre
+ alert.signature_id: 3
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - no url_decode grab only the first two bytes
+ alert.signature_id: 4
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: http
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ flow.reason: shutdown
+ flow.state: established
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tcp.ack: true
+ tcp.psh: true
+ tcp.state: established
+ tcp.syn: true
+ tcp.tcp_flags: 1a
+ tcp.tcp_flags_tc: '12'
+ tcp.tcp_flags_ts: 1a
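Review bot: The filter for sid 2 has `src_port` commented out (`#src_port: 60078`) while the other five filters match on it, so that check is looser than its siblings with no stated reason; either restore `src_port: 60078` or explain in the README why the url_decode alert is not pinned to the port. `min-version: 6` alone lets this test run on every 6.x build, including ones that predate the base64_decode fix the README describes, so if the fix shipped in a specific release the `requires` block should name that release as the minimum, otherwise the test will fail on older 6.x for reasons unrelated to a regression. The multi-line `alert.signature` value for sid 3 (the line ending "buffer" continued by "via pcre") relies on YAML plain-scalar folding to reproduce the rule's msg with a single space; quoting it on one line would make the expected string unambiguous.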